Adding a certificate to the key database

To use Transport Layer Security (TLS), a certificate must be installed on the server, and in some cases the root certificate that signed it must also be installed on the client so that the client can verify the server. Each server that enables TLS must obtain a unique certificate that is signed by a certificate authority (CA) or use a trusted self-signed certificate.

You can use your own certificates or purchase certificates from a CA. Either kind can be installed and added to the key database. If you include the -stashpw parameter on a GSKit gsk8capicmd_64 command, the password that you define is saved in a stash file for later use, so that subsequent commands can specify -stashed instead of passing the password with -pw. The server and the storage agent create their key databases by using the stash facility. The stash file only obfuscates the password, so protect it with the same file permissions as the key database itself.

The key database is created when you start the Tivoli® Storage Manager server. If the certificate is signed by a trusted CA, obtain the certificate, install it in the key database, and restart the server. Because the certificate is provided by a trusted authority, the certificate is accepted by Tivoli Storage Manager and communication between server and client can start.

For example, to add a certificate to the key database for the client, issue the following command:
gsk8capicmd_64 -cert -add -label "TSM061" -format ascii -file cert256.arm -db dsmcert.kdb -pw password

The cert256.arm file is generated by the server for distribution to the backup-archive clients, and for use in server-to-server and storage agent-to-server communication. A V6.3 server might also generate a cert.arm file, but that certificate is not suitable for clients whose passwords are authenticated with an LDAP server; distribute cert256.arm to those clients.

If a certificate expires, it is rejected when you attempt SSL or TLS communication. You must obtain a new certificate and add it to the key database of the server and of the storage agent. The self-signed certificates for the server are created with an expiration time of 10 years, after which they must be re-created and redistributed to every client that holds them. To re-create a self-signed certificate, delete the cert.arm and cert256.arm files and delete the self-signed certificates from the key database. When you restart the server or the storage agent, new certificates and .arm files are created; add the new .arm file to each client key database with the same -cert -add command shown above.
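Because an expired certificate is only rejected at connection time, it is worth checking the validity window of a .arm file before it goes into a key database. The following is an added example, not code from this page, from Tivoli Storage Manager or from GSKit: standard-library Python that base64-decodes the PEM in the .arm file, walks the DER just far enough to reach the X.509 Validity field, refuses to add a certificate with fewer than an assumed 30 days of life left, and otherwise issues the page's gsk8capicmd_64 -cert -add command with -stashed. The file names and the TSM061 label follow the page; the min_days threshold and the helper names are assumptions, and sample_pem() builds a constructed, unsigned certificate that exists only so the parser can be exercised offline.

```python
"""Validity check for a GSKit .arm (PEM) certificate before it is added to a key database.

Added example; not part of the Tivoli Storage Manager documentation or of GSKit.
Standard library only. sample_pem() is constructed, unsigned filler for offline testing.
"""
import base64
import datetime as dt
import re
import shlex
import subprocess


def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _children(body):
    """Top-level (tag, value) children of a constructed element's contents."""
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = _read_tlv(body, pos)
        out.append((tag, val))
    return out


def parse_time(tag, val):
    """Decode UTCTime (0x17) or GeneralizedTime (0x18) to an aware UTC datetime."""
    s = val.decode("ascii")
    if tag == 0x17:                                     # YYMMDDHHMMSSZ; RFC 5280: 50-99 -> 19xx, 00-49 -> 20xx
        yy = int(s[:2])
        s = f"{1900 + yy if yy >= 50 else 2000 + yy}{s[2:]}"
    elif tag != 0x18:                                   # GeneralizedTime is YYYYMMDDHHMMSSZ
        raise ValueError(f"unexpected Time tag 0x{tag:02x}")
    return dt.datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=dt.timezone.utc)


def pem_to_der(pem_text):
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_text, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block in input")
    return base64.b64decode("".join(m.group(1).split()))


def validity(der):
    """Return (notBefore, notAfter) of a DER-encoded X.509 certificate."""
    _, cert, _ = _read_tlv(der, 0)                      # Certificate ::= SEQUENCE
    fields = _children(_children(cert)[0][1])           # tbsCertificate fields
    if fields[0][0] == 0xA0:                            # optional [0] EXPLICIT version
        fields = fields[1:]
    # serialNumber, signature AlgorithmIdentifier, issuer Name, then validity
    not_before, not_after = _children(fields[3][1])
    return parse_time(*not_before), parse_time(*not_after)


def days_remaining(pem_text, now=None):
    """Days until notAfter (negative once expired); raises if the certificate is not yet valid."""
    now = now or dt.datetime.now(dt.timezone.utc)
    nb, na = validity(pem_to_der(pem_text))
    if now < nb:
        raise ValueError(f"certificate not valid before {nb:%Y-%m-%d}")
    return (na - now).days


def add_to_kdb(arm_file, label, kdb="dsmcert.kdb", min_days=30):
    """Run the page's gsk8capicmd_64 -cert -add only if the .arm has at least min_days (assumed) left."""
    with open(arm_file) as f:
        left = days_remaining(f.read())
    if left < min_days:
        raise SystemExit(f"{arm_file}: {left} days of validity left; obtain a new certificate instead")
    # -stashed reads the password from the stash file instead of exposing it on the command line via -pw
    cmd = ["gsk8capicmd_64", "-cert", "-add", "-label", label, "-format", "ascii",
           "-file", arm_file, "-db", kdb, "-stashed"]
    print("+", shlex.join(cmd))
    subprocess.run(cmd, check=True)


# ---- constructed sample: structurally a certificate, but unsigned filler, for offline tests ----
def _tlv(tag, body):
    n = len(body)
    length = bytes([n]) if n < 128 else b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + body


SHA256_RSA = _tlv(0x30, _tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))   # sha256WithRSAEncryption OID


def sample_pem(not_before="20160101000000Z", not_after="20260101000000Z"):
    name = _tlv(0x30, _tlv(0x31, _tlv(0x30, _tlv(0x06, b"\x55\x04\x03") + _tlv(0x0C, b"TSM061"))))  # CN=TSM061
    tbs = _tlv(0x30,
               _tlv(0xA0, _tlv(0x02, b"\x02"))                     # version v3
               + _tlv(0x02, b"\x01")                                # serialNumber
               + SHA256_RSA + name                                  # signature, issuer
               + _tlv(0x30, _tlv(0x18, not_before.encode()) + _tlv(0x18, not_after.encode()))
               + name + _tlv(0x30, b"\x00" * 16))                   # subject, placeholder SPKI
    cert = _tlv(0x30, tbs + SHA256_RSA + _tlv(0x03, b"\x00" * 9))   # placeholder signature BIT STRING
    b64 = base64.b64encode(cert).decode()
    lines = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{lines}\n-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    print(days_remaining(sample_pem()), "days of validity left on the constructed sample")
```

Point add_to_kdb at a real cert256.arm to add it with the label of your choice. The check reads only the validity dates; it does not verify the signature or the chain, which is the job of the TLS handshake once the certificate is in use.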

To show the certificates that are available for SSL or TLS communication, issue the following command from the client directory (the -stashed parameter supplies the key database password from the stash file instead of -pw):
gsk8capicmd_64 -cert -list -db dsmcert.kdb -stashed